HIPAA Privacy Rule Requirements for Covered Entities and Business Associates, Explained
Covered Entities Overview
Covered entities are health plans, health care clearinghouses, and health care providers who transmit health information electronically in standard transactions. If you fall into one of these categories, the HIPAA Privacy Rule governs how you create, use, disclose, and safeguard Protected Health Information (PHI) in any form—paper, verbal, or electronic.
Core covered entity responsibilities include publishing a clear Notice of Privacy Practices, designating a privacy official, training your workforce, and adopting policies for PHI safeguarding. You must limit uses and disclosures to what the rule permits or what an individual authorizes, and you must honor individual rights such as access, amendment, restrictions, and confidential communications.
Operationally, you need reasonable administrative, physical, and technical safeguards; a process to receive and investigate complaints; sanctions for workforce violations; and documentation retained for at least six years. These activities anchor Privacy Rule compliance and reduce the risk of impermissible disclosures.
Business Associates Roles
Business associates are vendors or partners who perform functions or services for a covered entity that involve PHI—examples include claims processing, billing, data analytics, EHR hosting, cloud storage, and external auditing. Subcontractors that handle PHI on a business associate’s behalf are also business associates.
Business associates must implement safeguards, follow the Minimum Necessary Standard, use or disclose PHI only as permitted by their contract, and report security incidents and breaches. They are directly liable for certain violations of the Privacy Rule and must ensure downstream subcontractors agree to the same protections.
In practice, you should inventory all external parties with access to PHI, verify their role, and ensure each relationship is governed by appropriate Business Associate Agreements that define permissible uses and PHI safeguarding expectations.
Protected Health Information Definition
PHI is individually identifiable health information created or received by a covered entity or business associate that relates to an individual’s past, present, or future health, health care, or payment for care. It includes identifiers like names, contact details, and device or biometric data when linked to health information, and it applies across paper, verbal, and electronic formats.
PHI excludes de-identified information. You can de-identify data via expert determination or the “safe harbor” method that removes specified identifiers. A limited data set—used for operations, research, and public health—excludes direct identifiers but remains PHI and requires a data use agreement.
Other exclusions include student records protected by FERPA and employment records held by a covered entity in its role as employer. PHI protections extend to decedent information for 50 years following death.
Privacy Rule Application Scope
The Privacy Rule applies to covered entities and business associates whenever they use, disclose, or request PHI. Permitted uses and disclosures include treatment, payment, and health care operations, as well as certain public interest activities (for example, public health reporting, health oversight, and specific law enforcement purposes). Some disclosures are required—such as to the individual upon request and to the Department of Health and Human Services for compliance investigations.
Privacy Rule compliance also means respecting individual rights: timely access to records, amendments to inaccurate or incomplete PHI, an accounting of certain disclosures, the right to request restrictions (including paying out-of-pocket to restrict health plan disclosures), and confidential communications through alternative means or locations.
You must evaluate state laws that are more stringent than HIPAA, because those stricter provisions typically prevail. Maintain a governance process to review new laws, update policies, and keep notices and training current.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Minimum Necessary Standard Compliance
The Minimum Necessary Standard requires you to limit PHI uses, disclosures, and requests to the minimum needed to accomplish the purpose. Build role-based access, define routine disclosures with preset criteria, and require documented justification for non-routine requests. Configure systems, queries, and reports to filter out unnecessary fields whenever feasible.
For day-to-day operations, implement procedures for identity verification, approval workflows for atypical disclosures, and data segmentation when only part of a record is needed. Apply retention schedules to reduce exposure and audit logs to monitor workforce access.
Exceptions to the Minimum Necessary Standard
- Disclosures to or requests by a health care provider for treatment.
- Disclosures to the individual who is the subject of the PHI.
- Uses or disclosures made pursuant to a valid authorization.
- Uses or disclosures required by law, and disclosures to HHS for compliance review.
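The following is an added illustration, not code from the page or from any vendor, of how the Minimum Necessary Standard and the exceptions above translate into a field-level access control with audit logging. The role names, field allowlists and the sample record are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed sample record; synthetic values, not real patient data.
PHI_RECORD = {
    "patient_id": "P-0001", "name": "Jane Doe", "dob": "1980-01-01",
    "phone": "555-0100", "diagnosis": "J45.20", "medications": ["albuterol"],
    "insurance_id": "INS-42", "claim_amount": 120.50,
}

# Routine disclosures with preset criteria: each (assumed) role's allowlisted fields.
ROLE_FIELDS = {
    "billing": {"patient_id", "insurance_id", "claim_amount", "diagnosis"},
    "scheduler": {"patient_id", "name", "phone"},
}

# Purposes the standard does not apply to, mirroring the exception list above.
EXEMPT_PURPOSES = {"treatment", "disclosure_to_individual", "authorization", "required_by_law"}

AUDIT_LOG = []  # workforce access monitoring; use an append-only store in production


def minimum_necessary(record, role, purpose, requested=None, justification=None):
    """Return only the fields the requester may see and append an audit entry.

    Exempt purposes receive the full record. Otherwise fields outside the
    role's allowlist are released only with a documented justification
    (a non-routine request) and are flagged as such in the audit log.
    An unknown role with no allowlist receives nothing.
    """
    allowed = ROLE_FIELDS.get(role, set())
    wanted = set(requested) if requested is not None else allowed
    if purpose in EXEMPT_PURPOSES:
        released = dict(record)
        non_routine = False
    else:
        extra = wanted - allowed
        if extra and not justification:
            raise PermissionError(f"role {role!r} needs documented justification for {sorted(extra)}")
        non_routine = bool(extra)
        released = {k: v for k, v in record.items() if k in wanted}
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "role": role, "purpose": purpose, "fields": sorted(released),
        "non_routine": non_routine, "justification": justification,
    })
    return released
```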
Business Associate Agreements
Business Associate Agreements (BAAs) are contracts that spell out how a business associate may use and disclose PHI and what safeguards are required. A BAA must limit PHI to the agreed purposes, require appropriate protections, and prohibit uses or disclosures not permitted by the agreement or the Privacy Rule.
Effective BAAs require the business associate to: implement administrative, physical, and technical safeguards; comply with the Minimum Necessary Standard; report incidents and breaches without unreasonable delay (no later than 60 days after discovery); provide access, amendments, and an accounting of disclosures where applicable; ensure subcontractors provide equivalent protections; and return or destroy PHI at termination or extend protections if destruction is infeasible.
You should map data flows, validate the legal entity that signs the BAA, define breach reporting channels, set performance metrics and audit rights, and align security requirements with the sensitivity of the PHI involved.
Hybrid Entities and Their Designation
A hybrid entity is a single legal entity that performs both HIPAA-covered and non-covered functions, such as a university with a student health clinic. Through Hybrid Entity Designation, the organization identifies its “health care component(s)” that are subject to HIPAA while isolating non-covered components from PHI.
Designation must be documented, and the health care component must apply full Privacy Rule compliance, including workforce training, policies, and PHI safeguarding. Establish internal firewalls so non-covered components do not receive PHI unless a disclosure is permitted. If an internal component performs services for the health care component, bind it to equivalent restrictions or include it within the designated component.
In summary, the Privacy Rule’s framework—clear covered entity responsibilities, defined business associate roles, precise PHI handling, scoped permissions, the Minimum Necessary Standard, strong BAAs, and careful hybrid entity boundaries—works together to keep PHI safeguarded while enabling care, payment, and operations.
FAQs
What information is protected under the HIPAA Privacy Rule?
Protected Health Information includes any individually identifiable health information held or transmitted by a covered entity or business associate that relates to health status, care, or payment. It spans paper, electronic, and verbal forms, and remains protected unless properly de-identified or otherwise excluded by the rule.
How do business associate agreements protect PHI?
Business Associate Agreements define what PHI a vendor may access, the specific purposes allowed, and the safeguards required. They mandate incident and breach reporting, flow-down obligations to subcontractors, limits on further disclosures, and return or destruction of PHI at contract end, creating enforceable controls around PHI use.
What are the responsibilities of covered entities under HIPAA?
Covered entities must publish a Notice of Privacy Practices, train staff, implement reasonable safeguards, limit PHI uses and disclosures, and honor individual rights such as access and amendment. They also need policies, sanctions, and documentation processes that demonstrate ongoing Privacy Rule compliance.
How does the Minimum Necessary Standard apply to PHI access?
You should grant role-based access, design reports and queries to return only the fields needed, and require justification for non-routine requests. The standard does not apply to treatment, disclosures to the individual, valid authorizations, or situations required by law or HHS oversight.